/*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.ranger.authorization.presto.authorizer;
import io.prestosql.spi.connector.CatalogSchemaName;
import io.prestosql.spi.connector.CatalogSchemaRoutineName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.PrestoPrincipal;
import io.prestosql.spi.security.Privilege;
import io.prestosql.spi.security.SystemAccessControl;
import io.prestosql.spi.security.SystemSecurityContext;
import io.prestosql.spi.security.ViewExpression;
import io.prestosql.spi.type.Type;
import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
import javax.inject.Inject;
import java.security.Principal;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;
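/**
 * Presto {@link SystemAccessControl} shim that forwards every authorization call to a second
 * instance of this same class name, loaded through the Ranger plugin class loader (see
 * {@link #RANGER_PRESTO_AUTHORIZER_IMPL_CLASSNAME}). Presto only ever sees this thin wrapper;
 * the delegate is the one that carries the Ranger plugin, and it is created inside the plugin
 * class loader presumably so that Ranger's own dependencies do not collide with Presto's.
 *
 * <p>Every forwarded call runs with the plugin class loader activated for the calling thread and
 * deactivated again in a {@code finally} block, so a denied check (which surfaces as an exception
 * thrown by the delegate) still restores the caller's class loader.
 *
 * <p>NOTE(review): any {@code SystemAccessControl} method that is not overridden here falls back
 * to the interface default of the Presto SPI version in use. Confirm that default is a deny for
 * every method Presto may call before relying on it.
 */
public class RangerSystemAccessControl implements SystemAccessControl {
    private static final String RANGER_PLUGIN_TYPE = "presto";

    /** Fully qualified name of the delegate; intentionally identical to this class's own name. */
    private static final String RANGER_PRESTO_AUTHORIZER_IMPL_CLASSNAME =
            "org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl";

    /** Class loader that isolates the Ranger plugin; the activate/deactivate helpers tolerate null. */
    private final RangerPluginClassLoader rangerPluginClassLoader;

    /** The real authorizer, instantiated reflectively inside the plugin class loader. */
    private final SystemAccessControl systemAccessControlImpl;

    /**
     * Bootstraps the delegate authorizer.
     *
     * @param config keytab, principal, UGI and Hadoop-config settings handed to the delegate
     * @throws NullPointerException if {@code config} is null
     * @throws RuntimeException if the plugin class loader or the delegate cannot be created; the
     *         constructor fails loudly rather than leaving Presto with an authorizer that has no
     *         backing implementation
     */
    @Inject
    public RangerSystemAccessControl(RangerConfig config) {
        Objects.requireNonNull(config, "config");
        try {
            rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
            // asSubclass replaces the former unchecked cast: a class of the expected name that does
            // not implement SystemAccessControl now fails here, explicitly, instead of at the
            // field assignment below.
            Class<? extends SystemAccessControl> cls = Class
                    .forName(RANGER_PRESTO_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader)
                    .asSubclass(SystemAccessControl.class);
            activatePluginClassLoader();
            systemAccessControlImpl = cls.getDeclaredConstructor(Map.class).newInstance(toPluginConfig(config));
        } catch (Exception e) {
            // Class.forName / getDeclaredConstructor / newInstance throw several distinct checked
            // types (and RangerPluginClassLoader.getInstance may too); one wrapper keeps the
            // constructor's contract simple while preserving the cause.
            throw new RuntimeException("Failed to initialize Ranger Presto authorizer", e);
        } finally {
            deactivatePluginClassLoader();
        }
    }

    /** Builds the String-keyed settings map the delegate's {@code Map} constructor expects. */
    private static Map<String, String> toPluginConfig(RangerConfig config) {
        Map<String, String> configMap = new HashMap<>();
        // Keytab and principal only make sense as a pair; a lone value is dropped.
        if (config.getKeytab() != null && config.getPrincipal() != null) {
            configMap.put("ranger.keytab", config.getKeytab());
            configMap.put("ranger.principal", config.getPrincipal());
        }
        configMap.put("ranger.use_ugi", Boolean.toString(config.isUseUgi()));
        if (config.getHadoopConfigPath() != null) {
            configMap.put("ranger.hadoop_config", config.getHadoopConfigPath());
        }
        return configMap;
    }

    // ---------------------------------------------------------------------------------------
    // Every override below forwards to the delegate under the plugin class loader, via
    // runInPlugin (void checks) or callInPlugin (filters and expression lookups). A check that
    // denies access propagates the delegate's exception unchanged.
    // ---------------------------------------------------------------------------------------

    @Override
    public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanSetSystemSessionProperty(context, propertyName));
    }

    @Override
    public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanAccessCatalog(context, catalogName));
    }

    @Override
    public Set<String> filterCatalogs(SystemSecurityContext context, Set<String> catalogs) {
        return callInPlugin(() -> systemAccessControlImpl.filterCatalogs(context, catalogs));
    }

    @Override
    public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
        runInPlugin(() -> systemAccessControlImpl.checkCanCreateSchema(context, schema));
    }

    @Override
    public void checkCanDropSchema(SystemSecurityContext context, CatalogSchemaName schema) {
        runInPlugin(() -> systemAccessControlImpl.checkCanDropSchema(context, schema));
    }

    @Override
    public void checkCanRenameSchema(SystemSecurityContext context, CatalogSchemaName schema, String newSchemaName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanRenameSchema(context, schema, newSchemaName));
    }

    @Override
    public void checkCanShowSchemas(SystemSecurityContext context, String catalogName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanShowSchemas(context, catalogName));
    }

    @Override
    public Set<String> filterSchemas(SystemSecurityContext context, String catalogName, Set<String> schemaNames) {
        return callInPlugin(() -> systemAccessControlImpl.filterSchemas(context, catalogName, schemaNames));
    }

    @Override
    public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanCreateTable(context, table));
    }

    @Override
    public void checkCanDropTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanDropTable(context, table));
    }

    @Override
    public void checkCanRenameTable(SystemSecurityContext context, CatalogSchemaTableName table, CatalogSchemaTableName newTable) {
        runInPlugin(() -> systemAccessControlImpl.checkCanRenameTable(context, table, newTable));
    }

    @Override
    public Set<SchemaTableName> filterTables(SystemSecurityContext context, String catalogName, Set<SchemaTableName> tableNames) {
        return callInPlugin(() -> systemAccessControlImpl.filterTables(context, catalogName, tableNames));
    }

    @Override
    public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanAddColumn(context, table));
    }

    @Override
    public void checkCanDropColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanDropColumn(context, table));
    }

    @Override
    public void checkCanRenameColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanRenameColumn(context, table));
    }

    @Override
    public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
        runInPlugin(() -> systemAccessControlImpl.checkCanSelectFromColumns(context, table, columns));
    }

    @Override
    public void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanInsertIntoTable(context, table));
    }

    @Override
    public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanDeleteFromTable(context, table));
    }

    @Override
    public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view) {
        runInPlugin(() -> systemAccessControlImpl.checkCanCreateView(context, view));
    }

    @Override
    public void checkCanDropView(SystemSecurityContext context, CatalogSchemaTableName view) {
        runInPlugin(() -> systemAccessControlImpl.checkCanDropView(context, view));
    }

    @Override
    public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
        runInPlugin(() -> systemAccessControlImpl.checkCanCreateViewWithSelectFromColumns(context, table, columns));
    }

    @Override
    public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanSetCatalogSessionProperty(context, catalogName, propertyName));
    }

    @Override
    public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanImpersonateUser(context, userName));
    }

    @Override
    public void checkCanExecuteQuery(SystemSecurityContext context) {
        runInPlugin(() -> systemAccessControlImpl.checkCanExecuteQuery(context));
    }

    @Override
    public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
        runInPlugin(() -> systemAccessControlImpl.checkCanViewQueryOwnedBy(context, queryOwner));
    }

    @Override
    public Set<String> filterViewQueryOwnedBy(SystemSecurityContext context, Set<String> queryOwners) {
        return callInPlugin(() -> systemAccessControlImpl.filterViewQueryOwnedBy(context, queryOwners));
    }

    @Override
    public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
        runInPlugin(() -> systemAccessControlImpl.checkCanKillQueryOwnedBy(context, queryOwner));
    }

    @Override
    public void checkCanShowCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanShowCreateTable(context, table));
    }

    @Override
    public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanSetTableComment(context, table));
    }

    @Override
    public void checkCanShowTables(SystemSecurityContext context, CatalogSchemaName schema) {
        runInPlugin(() -> systemAccessControlImpl.checkCanShowTables(context, schema));
    }

    @Override
    public void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTableName table) {
        runInPlugin(() -> systemAccessControlImpl.checkCanShowColumns(context, table));
    }

    @Override
    public List<ColumnMetadata> filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, List<ColumnMetadata> columns) {
        return callInPlugin(() -> systemAccessControlImpl.filterColumns(context, table, columns));
    }

    @Override
    public void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTableName view, CatalogSchemaTableName newView) {
        runInPlugin(() -> systemAccessControlImpl.checkCanRenameView(context, view, newView));
    }

    @Override
    public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal grantee, boolean withGrantOption) {
        runInPlugin(() -> systemAccessControlImpl.checkCanGrantTablePrivilege(context, privilege, table, grantee, withGrantOption));
    }

    @Override
    public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal revokee, boolean grantOptionFor) {
        runInPlugin(() -> systemAccessControlImpl.checkCanRevokeTablePrivilege(context, privilege, table, revokee, grantOptionFor));
    }

    @Override
    public void checkCanShowRoles(SystemSecurityContext context, String catalogName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanShowRoles(context, catalogName));
    }

    /** Row-level filter for {@code tableName}, exactly as the delegate reports it (possibly empty). */
    @Override
    public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
        return callInPlugin(() -> systemAccessControlImpl.getRowFilter(context, tableName));
    }

    /** Column mask for {@code columnName}, exactly as the delegate reports it (possibly empty). */
    @Override
    public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
        return callInPlugin(() -> systemAccessControlImpl.getColumnMask(context, tableName, columnName, type));
    }

    /** Unlike the other checks this one carries no security context, only the authenticated principal. */
    @Override
    public void checkCanSetUser(Optional<Principal> principal, String userName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanSetUser(principal, userName));
    }

    @Override
    public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String functionName, PrestoPrincipal grantee, boolean grantOption) {
        runInPlugin(() -> systemAccessControlImpl.checkCanGrantExecuteFunctionPrivilege(context, functionName, grantee, grantOption));
    }

    @Override
    public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, PrestoPrincipal principal) {
        runInPlugin(() -> systemAccessControlImpl.checkCanSetSchemaAuthorization(context, schema, principal));
    }

    @Override
    public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchemaName schemaName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanShowCreateSchema(context, schemaName));
    }

    @Override
    public void checkCanExecuteProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName procedure) {
        runInPlugin(() -> systemAccessControlImpl.checkCanExecuteProcedure(systemSecurityContext, procedure));
    }

    @Override
    public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String functionName) {
        runInPlugin(() -> systemAccessControlImpl.checkCanExecuteFunction(systemSecurityContext, functionName));
    }

    /**
     * Runs a void delegate call with the plugin class loader active on the current thread.
     * The loader is deactivated in {@code finally} so an access-denied exception from the
     * delegate propagates unchanged while still restoring the caller's class loader.
     */
    private void runInPlugin(Runnable action) {
        try {
            activatePluginClassLoader();
            action.run();
        } finally {
            deactivatePluginClassLoader();
        }
    }

    /** Same as {@link #runInPlugin(Runnable)} but hands back the delegate's result. */
    private <T> T callInPlugin(Supplier<T> action) {
        try {
            activatePluginClassLoader();
            return action.get();
        } finally {
            deactivatePluginClassLoader();
        }
    }

    /** Switches the current thread to the plugin class loader; a no-op when none was obtained. */
    private void activatePluginClassLoader() {
        if (rangerPluginClassLoader != null) {
            rangerPluginClassLoader.activate();
        }
    }

    /** Undoes {@link #activatePluginClassLoader()}; a no-op when no loader was obtained. */
    private void deactivatePluginClassLoader() {
        if (rangerPluginClassLoader != null) {
            rangerPluginClassLoader.deactivate();
        }
    }
}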